by joshlk
1956 days ago
Uploading dummy packages to PyPI isn't the solution. It just pollutes PyPI and is a nuisance to others. You have always been able to specify the `index-url` when installing packages using pip. This can also be added to `requirements.txt` files as well.
> It just pollutes PyPI and is a nuisance to others.

I agree, but so are the packages that are no longer maintained. You also reserve the package name if you decide to open-source it. Furthermore, by creating a package you are leaking metadata about your organization, i.e. some functionality can be inferred from package names.
And sure, you can train and try to enforce security awareness, but your people need to be right 100% of the time, while attackers need them to make only one mistake. Similarly with name-squatting of the popular packages.
https://pip.pypa.io/en/stable/reference/pip_install/#finding...
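As an added illustration of the `index-url` point above (example code, not from either commenter or from pip itself), a small check over a `requirements.txt` that flags the index settings which leave pip able to resolve an internal package name from public PyPI. The private index URL and the sample files are constructed placeholders.

```python
import re
from typing import List

# pip accepts `--index-url URL`, `--index-url=URL` and the short form `-i URL`.
INDEX_OPT = re.compile(r"^(?:--index-url|-i)(?:=|\s+)(\S+)")
# `--extra-index-url` is merged with the primary index, so the default
# PyPI index stays in play unless `--index-url` also points elsewhere.
EXTRA_OPT = re.compile(r"^--extra-index-url(?:=|\s+)(\S+)")


def audit_requirements(text: str, private_index: str) -> List[str]:
    """Return findings for settings that let pip fall back to public PyPI.

    An empty list means every install from this file is pinned to
    `private_index` alone (pip.conf and PIP_INDEX_URL are not inspected).
    """
    findings: List[str] = []
    index_url = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = INDEX_OPT.match(line)
        if m:
            index_url = m.group(1)
            if index_url.rstrip("/") != private_index.rstrip("/"):
                findings.append(
                    f"line {lineno}: --index-url is {index_url}, not the private index")
            continue
        m = EXTRA_OPT.match(line)
        if m:
            findings.append(
                f"line {lineno}: --extra-index-url {m.group(1)} is merged with the "
                "primary index, so an internal name can still be served from PyPI")
    if index_url is None:
        findings.append("no --index-url set: pip defaults to https://pypi.org/simple")
    return findings


if __name__ == "__main__":
    # Constructed sample: the second file is the classic dependency-confusion setup.
    private = "https://pypi.internal.example/simple"
    pinned = "--index-url https://pypi.internal.example/simple\ninternal-utils==1.2.0\n"
    leaky = "--extra-index-url https://pypi.internal.example/simple\ninternal-utils==1.2.0\n"
    for name, content in (("pinned", pinned), ("leaky", leaky)):
        print(name, audit_requirements(content, private) or ["ok"])
```

One caveat the check cannot see: if the private index is itself a proxy that mirrors PyPI, the same name ambiguity simply moves into that proxy's resolution rules.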